FC3: selinux-policy-targeted-1.17.30-3.15 seems to have broken gpg...

Fri Jul 1 17:16:13 UTC 2005

Jason L Tibbitts III wrote:
>>>>>>"MWC" == Michael W Carney <michael.es.carney at sbcglobal.net> writes:
> 
> 
> MWC> Jul 1 07:40:13 lucy-01 kernel: audit(1120228813.336:0): avc:
> MWC> denied { execmod } for pid=5567 comm=gpg path=/usr/bin/gpg
> MWC> dev=sdb5 ino=67343 scontext=user_u:system_r:unconfined_t
> MWC> tcontext=system_u:object_r:bin_t tclass=file
> 
> I'm seeing the same thing.  If I do
> 
> chcon system_u:object_r:shlib_t /usr/bin/gpg
> 
> then things work again, but that's probably the wrong thing to do.

That is an acceptable workaround.  /usr/bin/gpg from FC3 has two relocations
to .text, which targeted policy does not allow.

-----selected lines from:  readelf --all /usr/bin/gpg
  LOAD           0x000000 0x00000000 0x00000000 0xa1920 0xa1920 R E 0x1000
  LOAD           0x0a2000 0x000a2000 0x000a2000 0x031e4 0x04768 RW  0x1000

 0x00000016 (TEXTREL)                    0x0    ## the clue

Relocation section '.rel.dyn' at offset 0x2194 contains 794 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
0007922e  00000008 R_386_RELATIVE   ## 0x7933e < 0xa1920
000792be  00000008 R_386_RELATIVE
000a20fc  00000008 R_386_RELATIVE
-----

Those .text relocations are not present in FC4.
It is possible to find all such cases of brokenness by using
   readelf --dynamic main_or_.so  |  grep TEXTREL
for all executable modules (main programs, shared libraries, dynamic modules).
The maintainers of selinux-policy-targeted should have done so,
and warned in the changelog.

-- 